We collect, use and are responsible for certain Personal Information about you. When we do so we are subject to the General Data Protection Regulation, which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that Personal Information for the purposes of those laws.
- For information concerning Aviva please visit aviva.com
- For a full list of the Aviva trading companies in the UK please see our list of Aviva companies
means the end customers who you act for as an Aviva intermediary.
|“Intermediary Firm”||means a firm acting in an adviser, broker and/or healthcare intermediary capacity.|
|“Personal Information”||means any information relating to an identified or identifiable individual.|
has the meaning specified in the “How your Personal Information is collected section” below.
|“Special Category Personal Information”|| |
- Personal Information revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership;
- Genetic and biometric data; and
- Data concerning health, sex life or sexual orientation.
|“Terms of Business”||means the contract between your Intermediary Firm and Aviva governing their role as an intermediary for Aviva products and services.|
|“Website”||means the Aviva Connect Website.|
|“We”, “us”, “our” or “Aviva”||has the meaning set out in the paragraph headed “Aviva” above.|
|“You” “Your”||has the meaning set out in the first paragraph of the “Introduction” section above.|
Personal information we collect about you
We may collect and use the following personal information about you:
- Basic personal details such as your name, address, email address, telephone number and postcode;
- Account registration details, such as username and password;
- Information about the Intermediary Firm you work for and your role within the firm, including the firm name, firm size, your firm role and FCA number;
- Information about your marketing preferences;
- If you are a director or partner of your Intermediary Firm, we will need to check and verify your identity and will collect information about your date of birth, National Insurance Number and current and previous three years’ addresses together with performing credit or other financial checks on you;
- Transactions you have completed and quotations you have requested;
- Information about how you use the Website, IT, communication and other systems;
- Your responses to surveys, competitions and promotions.
This Personal Information is required to provide products and/or services to you in your capacity as an intermediary for Aviva. If you do not provide Personal Information we ask for, it may delay or prevent us from providing these products and/or services to you.
How your personal information is collected
We collect information about you when you or your Intermediary Firm does business with us, including dealings we have with you through a number of channels, such as:
- If you create an online user account or use the Website;
- If you use any of our online services, including tools, information and functionality to help you manage new and existing products online through the Website ("the Services");
- If you participate in any competitions;
- If you record Continued Professional Development activity with us;
- If you take part in activities for the Aviva Community Fund;
- If you contact or communicate with us by telephone, mail, email, text, via the Website or in person;
- Via our IT systems, e.g. automated monitoring of our websites and other technical systems, such as our computer networks and connections, communications systems, email and instant messaging systems.
Use of third-party information
We obtain information about your Intermediary Firm and your Customers from our third-party suppliers and databases (including for example, Diligenta, FNZ, Capita, iPipeline and Acturis). We also use commercial property websites and government websites who assist with marketing insights, pricing research, product development, business strategy and to help us detect and prevent fraudulent activity including for example third party sanction screening providers and credit reference agencies. This includes publicly available information for example from the FCA and Companies House.
We may also gain information from other third parties with your consent, e.g. your bank.
How and why we use your personal information
Under data protection law, we can only use your Personal Information if we have identified a legal basis for doing so, such as:
- to comply with our legal obligations;
- for the performance of our contract with you or to take steps at your request before entering into a contract;
- for our legitimate interests or those of a third party; or
- where you have given consent.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
The sections below explain what we use (process) your personal information for, our reasons and legal basis for doing so:
1. To allow you and your Intermediary Firm to do business with us - we will use your information to:
- set up an account with us;
- maintain that account;
- allow you to access and make use of the Website and our Services;
- administer and manage products that your Customers have with us;
- manage queries and complaints which may involve you, your Intermediary Firm or your Customers;
We use Personal information for the purposes outlined in this paragraph 1 to support the legitimate interests of our business as an insurer, and also to perform our contract to provide your firm with products and services in accordance with the Terms of Business we have in place and in the interests of providing an efficient service to you, your firm and your Customers.
2. To market our products and services and make improvements to our operations:
- we will use your personal information to keep you informed about our products and services which we understand will be of interest to you, consistent with your marketing preferences. We explain more about this in our section on Marketing Communications and Cookies.
- we will also use your personal information for research and statistical purposes to analyse how you use our Website and Services so we can improve our understanding of your needs and enhance our products and services.
We use Personal Information for the purposes outlined in this paragraph 2 for our legitimate interests or those of a third party, to promote our business and to be as efficient as we can so we can deliver the best service for you at the best price.
3. To meet responsibilities we have to our regulators, tax officials, law enforcement and other similar bodies:
- if you are a director or partner of your firm, we will carry out appropriate verification and credit checks. We use personal information for these purposes to comply with requirements we have under financial conduct rules and laws relating to anti-money laundering, financial crime and to prevent and detect fraud (see our section on Fraud Prevention and Detection for more information).
- gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies
- carry out necessary background checks to make sure you and your Intermediary Firm are legitimate persons to do business with in accordance with our Terms of Business (we explain more about this in our section on Fraud Prevention and Detection).
- preventing unauthorised access and modifications to systems
- ensuring the confidentiality of commercially sensitive information
We use personal information for the purposes outlined in this paragraph 3 to meet our legal obligations and for our legitimate interests or those of a third party, to prevent and detect criminal activity that could be damaging for us and for you.
Who we share your personal information with
We will also share information about you with:
- our regulators and law enforcement as necessary for purposes of Fraud Prevention and Detection;
- online or digital partners we work with so we can communicate with you through their platforms;
- other third-party systems providers whose systems you request access to as part of your online account registration with us;
- your Customers if they have queries about the services between you, them and us;
- Aviva PLC group companies;
- third parties we use to help deliver our products and services to you, e.g. payment service providers;
- other third parties we use to help us run our business, e.g. marketing agencies or website hosts;
- third parties approved by you, e.g. social media sites you choose to link your account to or third-party payment providers;
- credit reference agencies; and
- our banking partners.
We only allow our service providers to handle your Personal Information if we are satisfied that they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your Personal Information to provide services to us and to you. We may also share Personal Information with external auditors.
We may also need to share some Personal Information with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
Important note on your responsibilities in handling customer data
Your firm is responsible for the lawful collection of personal information relating to any Customers with whom you do business. This includes collection and use of personal information about your Customers and any third parties whose details we may need to prepare a policy or personalised quote. Your firm must, at all times, have your Customer’s authority to share their personal information with us and it is your firm's responsibility to ensure your Customers are provided with fair processing notices which explain these arrangements to them and secure any necessary consents or other legal basis that may be required to allow this personal information to be shared with us for these purposes.
Your firm is expected to not act in any way in relation to your handling of Customer’s Personal Information which might reasonably damage the reputation or goodwill of Aviva or its relationship with its Customers. Your firm must provide to us all information in your possession concerning any unauthorised or accidental disclosure of, or access to, the Personal Information of your Customers including as a result of any unauthorised access to the Services.
Fraud prevention and detection
In order to prevent and detect fraud we may at any time:
- share information about you with other organisations and public bodies including the Police;
- undertake credit searches and additional fraud searches;
- check and/or file your details with fraud prevention agencies and databases, and if you give us false or inaccurate information and we suspect fraud, we will record this to prevent fraud and money laundering.
We can supply on request further details of the agencies and databases we access or contribute to and how this information may be used. If you require further details, contact us at:
Policy Investigation Unit, PO Box 121, Surrey Street, Norwich, NR1 3ZH
Telephone: 0345 300 0597
We and other organisations may also search these agencies and databases to:
- help make decisions about the provision and administration of insurance, credit and related services;
- trace debtors or beneficiaries, recover debt, prevent fraud;
- check your identity to prevent money laundering, unless you furnish us with other satisfactory proof of identity.
Any requests for information we receive from law enforcement or regulators will be carefully validated before Personal Information is disclosed.
Where your personal information is held
Information may be held at our offices and those of our group companies, third party agencies, service providers, representatives and agents as described above (see above: ‘Who we share your personal information with’).
Some of these third parties may be based outside the European Economic Area. For more information, including on how we safeguard your personal information when this occurs, see below: ‘Transferring your personal information out of the EEA’.
Transferring your personal information out of the UK
Some of the organisations we share information with may be located outside of the United Kingdom ("UK"). These transfers are subject to special rules under European and UK data protection law. We will always take steps to ensure that any transfer of information outside the UK is carefully managed to protect your privacy rights:
- transfers within the Aviva Group will be covered by an agreement entered into by members of the Aviva Group (an intra-group agreement) which contractually obliges each member to ensure that your personal information receives an adequate and consistent level of protection wherever it is transferred within the Group;
- where we transfer your data to non-Aviva Group members or other companies providing us with a service, we’ll obtain contractual commitments and assurances from them to protect your personal information. We only transfer personal information to countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights.
You have a right to ask us for more information about the safeguards we have put in place as mentioned above. To learn more, see our section on Your Rights.
How long your personal information will be kept
We will keep your Personal Information while your firm has an account with us, or we are providing products and/or services to you. Thereafter, we will keep your Personal Information for as long as is necessary:
- to respond to any questions, complaints or claims made by you or on your behalf;
- to show that we treated you fairly;
- to keep records required by law.
We may also retain personal information, where we have identified a legal basis for doing so, in an aggregated form which allows us to continue to develop and improve our products and services.
When it is no longer necessary to retain your personal information, we will delete or anonymise it.
You have legal rights under data protection laws in relation to your Personal Information. Click on the links to learn more about each right you may have:
- To access Personal Information
- To withdraw consent
- To correct / erase Personal Information
- To restrict how we use Personal Information
- To object to how we use personal information
- To ask us to transfer Personal Information to another organisation
- To object to automated decisions
- To find out more about how we use Personal Information
We may ask you for proof of identity when making a request to exercise any of these rights. We do this to ensure we only disclose information where we know we’re dealing with the right individual.
We’ll not ask for a fee, unless we think your request is unfounded, repetitive or excessive. Where a fee is necessary, we’ll inform you before proceeding with your request.
We aim to respond to all valid requests within one month. It may however take us longer if the request is particularly complicated or you have made several requests. We’ll always let you know if we think a response will take longer than one month. To speed up our response, we may ask you to provide more detail about what you want to receive or are concerned about.
We may not always be able to do what you have asked, for example if it would impact the duty of confidentiality we owe to others, or if we’re otherwise legally entitled to deal with the request in a different way.
Accessing personal information
You can ask us to:
- confirm whether or not we have and are using your Personal Information
- get a copy of your personal information
Where we’ve asked for your consent to use your Personal Information, you’ll always have the right to withdraw such consent. Please contact us if you want to do this. If you withdraw your consent, we may not be able to provide certain products and services to you. If this is the case, we’ll tell you at the time you ask to withdraw your consent.
Correcting / erasing personal information
You can ask us to:
- correct any information about you which is incorrect. We’ll be happy to correct such information but will need to verify the accuracy of it first.
- erase your Personal Information if you think we no longer need to use it for the purpose we collected it from you.
- erase your Personal Information if you have either withdrawn your consent to us using your information (if we originally asked for your consent to use your information), or exercised your right to object to further legitimate use of your information, where we have used it unlawfully or where we’re subject to a legal obligation to erase your Personal Information.
We may not always be able to comply with your request, for example, if we need to keep using your personal information in order to comply with our legal obligation or where we need to use it to establish, exercise or defend legal claims.
Restricting our use of personal information
You can ask us to restrict our use of your Personal Information in certain circumstances, for example, where:
- you think the information is inaccurate and we need to verify it;
- our use of your Personal Information is not lawful, but you do not want us to erase it;
- the information is no longer required for the purposes for which it was collected but we need it to establish, exercise or defend legal claims; or
- you have objected to our use of your Personal Information, but we still need to verify if we have overriding grounds to use it.
We can continue to use your Personal Information following a request for restriction if we have your consent to use it; or you need to use it to establish, exercise or defend legal claims, or we need to use it to protect the rights of another individual or a company.
Objecting to use of personal information
You can object to any use of your Personal Information which we have justified on the basis of our legitimate interest, if you believe your fundamental rights and freedoms to data protection outweigh our legitimate interest in using the information. If you raise an objection, we may continue to use the Personal Information if we can demonstrate that we have compelling legitimate interests to use the information.
Requesting a transfer of personal information
You can ask us to provide your Personal Information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller (e.g. another company).
You may only exercise this right where we use your Personal Information in order to perform a contract with you, or where we asked for your consent to use your Personal Information. This right does not apply to any personal information which we hold, or process based on our legitimate interest or which is not held in digital form.
Obtaining a copy of our safety measures
You can ask for a copy of, or reference to, the safeguards we have put in place when your personal information is transferred outside of the European Economic Area. We’re not required to share details of these safeguards if sharing such details would affect our commercial position or create a security risk.
Contacting us for more information
- what Personal Information we have about you
- what we use it for
- who we share it with
- whether we transfer it abroad
- how we protect it
- how long we keep it for
- what rights you have
- how you can make a complaint
- where we got your data from
- whether we have carried out any automated decision-making using your personal information.
For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please contact us using the details in the section below. When you make a request, please:
- let us have enough information to identify you;
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
- let us know what right you want to exercise and the information to which your request relates.
We have appropriate security measures to prevent personal information from being accidentally lost or used or accessed unlawfully. We limit access to your Personal Information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
How to complain
We hope that we can resolve any query or concern you may raise about our use of your Personal Information.
The General Data Protection Regulation also gives you the right to lodge a complaint with a Supervisory Authority, in particular, in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The Supervisory Authority in the UK is the Information Commissioner who may be contacted at ico.org.uk/concerns or telephone: 0303 123 1113. We ask that you please attempt to resolve any issues with us before contacting the Information Commissioner.
How to contact us
Address: The Data Protection Team, Aviva, Pitheavlis, Perth, PH2 0NH.